We receive, collect, store, process, transfer, share and otherwise use or host information about individuals and/or that constitutes "personal data," "personal information," "personally identifiable information," or similar terms under applicable data privacy laws (collectively, "Personal Information"), including data relating to users of our offerings, our employees and contractors, and other persons.
We have legal and contractual obligations regarding the protection of confidentiality and appropriate use of certain data, including Personal Information and other sensitive information about individuals. We are subject to numerous federal, state, local, and international laws, directives, and regulations regarding privacy, data protection, and data security and the collection, storing, sharing, use, processing, transfer, disclosure, disposal, and protection of Personal Information and other data, the scope of which is changing, subject to differing interpretations, and may be inconsistent among jurisdictions or conflict with other legal and regulatory requirements. We are also subject to certain contractual obligations to customers and other third parties related to privacy, data protection and data security. The regulatory framework for privacy, data protection and data security worldwide is, and is likely to remain for the foreseeable future, uncertain, complex and lacking worldwide unified standards, and it is possible that these or other actual or alleged obligations may be interpreted and applied in a manner that we do not anticipate or that is inconsistent from one jurisdiction to another and may conflict with other legal obligations or our practices.
Further, any significant change to applicable laws, regulations or industry practices regarding the collection, use, retention, hosting, security, processing, transfer or disclosure of Personal Information, or their interpretation, or any changes regarding the manner in which the consent of users or other data subjects for the collection, use, retention, security, processing, transfer or disclosure of such Personal Information must be obtained, could increase our costs and require us to modify our services and features, possibly in a material manner, which we may be unable to complete, and may limit our ability to receive, collect, store, host, process, transfer, and otherwise use user data or develop new services and features. Further, there has been a substantial increase in legislative activity and regulatory focus on data privacy and security in the United States and elsewhere, including in relation to cybersecurity incidents. In addition, some such requirements place restrictions on our ability to process Personal Information across our business or across country borders.
In the United States, the FTC and many state attorneys general are interpreting federal and state consumer protection laws to impose standards for the online collection, use, dissemination, and security of data. Such standards require us to publish statements that describe how we handle Personal Information and choices individuals may have about the way we handle their Personal Information. If such information that we publish is considered untrue or inaccurate, we may be subject to government claims of unfair or deceptive trade practices, which could lead to significant liabilities and consequences. Moreover, according to the FTC, violating consumers' privacy rights or failing to take appropriate steps to keep consumers' Personal Information secure may constitute unfair acts or practices in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act.
State consumer protection laws provide similar causes of action for unfair or deceptive practices. Further, data privacy advocates and industry groups have regularly proposed and sometimes approved, and may propose and approve in the future, self-regulatory standards with which we must legally comply or that contractually apply to us.
Our communications with our clients are subject to certain laws and regulations, including the Controlling the Assault of Non-Solicited Pornography and Marketing Act (the "CAN-SPAM Act"), the Telephone Consumer Protection Act (the "TCPA"), and the Telemarketing Sales Rule and analogous state laws, that could expose us to significant damages awards, fines and other penalties that could materially impact our business. For example, the TCPA imposes various consumer consent requirements and other restrictions in connection with certain telemarketing activity and other communication with consumers by phone, fax or text message. The CAN-SPAM Act and the Telemarketing Sales Rule and analogous state laws also impose various restrictions on marketing conducted by use of email, telephone, fax or text message. As laws and regulations, including FTC enforcement, rapidly evolve to govern the use of these communications and marketing platforms, the failure by us, our employees or third parties acting at our direction to abide by applicable laws and regulations could adversely impact our business, financial condition and results of operations or subject us to fines or other penalties.
Various other U.S. federal privacy laws are relevant to our business, including the Family Educational Rights and Privacy Act ("FERPA") and the Children's Online Privacy Protection Act ("COPPA"). While we are not directly subject to FERPA or COPPA, our contracts with certain educational institution customers impose obligations on us related to FERPA and COPPA. Any actual or perceived failure to comply with these laws could result in a costly investigation or litigation resulting in potentially significant liability, injunctions and other consequences, loss of trust by our users, and a material and adverse impact on our reputation and business.
In addition, many state legislatures have adopted legislation that regulates how businesses operate online, including measures relating to privacy, data security, and data breaches. For example, the CCPA provides data privacy rights for California residents and imposes operational requirements on covered companies, such as obligations to provide disclosures to California residents and receive and respond to data privacy rights requests. An amendment to the CCPA created a state agency to oversee implementation and enforcement efforts, potentially resulting in further uncertainty and requiring us to incur additional costs and expenses in an effort to comply. The CCPA marked the beginning of a trend toward more stringent data privacy legislation in the United States, which could also increase our potential liability and adversely affect our business, with "copycat" laws or other similar laws being passed or proposed in numerous states across the country.
This legislation may add additional complexity, variation in requirements, restrictions, and potential legal risk, require additional investment of resources in compliance programs, could impact strategies and availability of previously useful data and could result in increased compliance costs and/or changes in business practices and policies.
In addition, some laws may require us to notify governmental authorities and/or affected individuals of data breaches involving certain personal information or other unauthorized or inadvertent access to or disclosure of such information. We may need to notify governmental authorities and affected individuals with respect to such incidents. For example, laws in all 50 U.S. states may require businesses to provide notice to consumers whose personal information has been disclosed as a result of a data breach. These laws are not consistent with each other, and compliance in the event of a widespread data breach may be difficult and costly. We also may be contractually required to notify consumers or other counterparties of a security incident, including a breach. Regardless of our contractual protections, any actual or perceived security incident or breach, or breach of our contractual obligations, could harm our reputation and brand, expose us to potential liability or require us to expend significant resources on data security and in responding to any such actual or perceived breach.
In addition, in the EU and the UK, we are subject to the European Union General Data Protection Regulation (the "EU GDPR") and to the United Kingdom General Data Protection Regulation and UK Data Protection Act 2018 (collectively, the "UK GDPR") (the EU GDPR and UK GDPR together referred to as the "GDPR"). The GDPR imposes comprehensive data privacy compliance obligations in relation to our collection, use, sharing, disclosure and other processing of personal data relating to an identified or identifiable individual or "personal information" (or "personal data"), including a principle of accountability and the obligation to demonstrate compliance through policies, procedures, training and audit.
Among other requirements, the GDPR regulates the transfer of personal information outside of the European Economic Area ("EEA") and the UK to third countries that have not been found to provide adequate protection for such personal information, including the United States.
We are certified under the EU-US Data Privacy Framework ("DPF") and currently rely on the DPF and on the UK Extension to the DPF to transfer certain personal information from the EEA and the UK, respectively, to the United States to the extent the transfer is made to a DPF certified entity.
We also rely on the EU standard contractual clauses ("SCCs") and the UK Addendum to the SCCs, as relevant, to transfer personal information outside the EEA and the UK with respect to both intragroup and third party transfers. We expect the existing legal complexity and uncertainty regarding international personal information transfers to continue. In particular, we expect the European Commission approval of the DPF for data transfers to certified entities in the United States to be challenged and further interpreted and developed, and international transfers to the United States and to other jurisdictions more generally to continue to be subject to enhanced scrutiny by regulators. As the regulatory guidance and enforcement landscape in relation to data transfers continue to develop, we could suffer additional costs, complaints and/or regulatory investigations or fines; we may have to stop using certain tools and vendors, implement alternative data transfer mechanisms and/or take additional compliance and operational measures; and/or it could otherwise affect the manner in which we provide our services, and could adversely affect our business, operations and financial condition.
Since we are subject to the supervision of relevant data protection authorities under both the EU GDPR and the UK GDPR, we could be fined under each of these regimes independently in respect of the same breach. Penalties for certain breaches are up to the greater of €20 million / GBP 17.5 million or 4% of global annual turnover for the preceding financial year for the most serious violations. The GDPR also provides for a right to compensation for material or non-material damage claimed by individuals. In addition to the foregoing, a breach of the GDPR could result in regulatory investigations, reputational damage, orders to cease or change our processing of our data, enforcement notices and/or assessment notices (for a compulsory audit).
We are also subject to evolving EU and UK privacy laws on cookies, tracking technologies and e-marketing. Recent European court and regulator decisions are driving increased attention to cookies and tracking technologies. If the trend of increasing enforcement by regulators of the strict approach to opt-in consent for all but essential use cases, as seen in recent guidance and decisions, continues, this could lead to additional costs, require systems changes, limit the effectiveness of our marketing and personalization activities, divert the attention of our technology personnel, adversely affect our margins, increase costs and subject us to additional liabilities. There can be no assurances that we will be successful in our efforts to comply with such laws; violations of such laws could result in regulatory investigations, fines, orders to cease or change our use of such technologies, as well as civil claims including class actions, and reputational damage.